We add the user that logs on to the group with group policy preference. We have set it up as such:

Group name: Administrators (built-in)
Current user: Add
Delete all member users: Enabled
Delete all member groups: Enabled

Some more info here: http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/

Kind regards,

Erik Cramer
Algemene Dienst ICT
Workspace Management
Academisch Medisch Centrum
Meibergdreef 9
1105 AZ Amsterdam Zuidoost
T: +3120 56 63737
E: e.j.cra...@amc.nl
L: HA1-069

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Ryan
Sent: Friday, December 5, 2014 17:51
To: scripting@lists.myitforum.com
Subject: Re: [scripting] Odd script request - something I can push via sccm that will add all the user profiles that logged in to local admin

Why not add the interactive user to local admins: http://qvlweb.blogspot.com/2008/08/give-logged-in-user-local-administrator.html

Anyone who logs into a computer locally will have admin rights and they lose them when they log out. They will also not have admin rights remotely, so no RDP for admin rights.

On Fri, Dec 5, 2014 at 9:31 AM, Burke, John <john.bu...@bellaliant.ca> wrote:

I have a script that is working but the delimitation is mucking it up. It works if you have just your domain\userid in the profile list in registry. But if you have domain\userid.domain it bombs because of the ".". Wondering if anyone would be able to look at it and see a simple change I can make to make it work properly (or maybe there is a better way to do it. Even if I had something that I could run on a standard user, that would add the currently logged in user to local admin via sccm that would work too).

**** it's pretty small script ****

On Error Resume Next

Const HKEY_LOCAL_MACHINE = &H80000002

strComputer = "."

Set objRegistry=GetObject("winmgmts:\\" & _
    strComputer & "\root\default:StdRegProv")

strKeyPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
objRegistry.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubkeys

For Each objSubkey In arrSubkeys
    strValueName = "ProfileImagePath"
    strSubPath = strKeyPath & "\" & objSubkey
    objRegistry.GetExpandedStringValue HKEY_LOCAL_MACHINE,strSubPath,strValueName,strValue
    profilearray = Split(strvalue,"\")
    For Each x In profilearray
        UserID=x
    Next
    Set objLocalAdminGroup = GetObject("WinNT://" & strComputer & "/Administrators")
    objLocalAdminGroup.Add("WinNT://domain1/" & UserID)
    objLocalAdminGroup.Add("WinNT://domain2/" & UserID)
Next
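
Added example, not part of the thread or any poster's script: the ProfileList subkeys are named after each account's SID, so the owner of a profile can be resolved from the SID instead of being parsed out of ProfileImagePath, which sidesteps the "userid.domain" folder-name problem. This PowerShell sketch is read-only and reports, per profile, whether the owner is already a direct member of the local Administrators group; the output column names are my own choice.

```powershell
# Added example: read-only audit, makes no changes to group membership.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# SIDs of the direct members of the local Administrators group.
# Membership through nested domain groups is not expanded here.
$group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$adminSids = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $bytes = $_.GetType().InvokeMember('objectSid', 'GetProperty', $null, $_, $null)
    (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
}

Get-ChildItem -Path $profileList |
    # Keep only account SIDs; this skips service profiles (S-1-5-18 etc.)
    # and leftover "<SID>.bak" keys.
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($_.PSChildName)
        try {
            # Returns DOMAIN\user regardless of what the profile folder is called.
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # Deleted account, or the domain cannot be reached right now.
            $account = '(unresolved)'
        }
        $path = $_.GetValue('ProfileImagePath')
        [pscustomobject]@{
            Account       = $account
            Sid           = $sid.Value
            ProfileFolder = if ($path) { Split-Path -Leaf $path } else { '' }
            DirectAdmin   = $adminSids -contains $sid.Value
        }
    }
```

Comparing the Account and ProfileFolder columns shows exactly where the folder name (for example a ".DOMAIN" suffix) diverges from the real account name.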